Most Linux security administrators know, or should know, about Grsecurity (grsecurity.net). It is a great and very powerful kernel patch that improves security against malware and exploits. It has plenty of techniques that can detect and kill exploits; you can learn more here: https://grsecurity.net/features.php. The developers of KSPP (the Kernel Self Protection Project) are implementing most of the grsec options in the mainline Linux kernel.

For a long time the Linux kernel had no exploit mitigation techniques. Now KSPP's developers are bringing most of the grsec options to Linux distributions, slowly but steadily. Many people don't know about it. Unfortunately, Linux distributions do not have it implemented by default. The only way is to compile the kernel yourself. I'm going to show you how to do it. You can find more information here: https://github.com/a13xp0p0v/kconfig-hardened-check. There you can also find a Python script that checks your kernel config options to see whether the features are enabled (most of them will be disabled by default).

[root@proton ~]# git clone https://github.com/a13xp0p0v/kconfig-hardened-check.git
[root@proton ~]# cd /root/kconfig-hardened-check/
[root@proton kconfig-hardened-check]# ./kconfig-hardened-check.py -c /boot/config-5.0.7   # use your own config instead of mine

As you can see, my kernel has many very important KSPP features enabled. Let's do the same on your system.
https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.0.7.tar.xz (at the time of writing this post, it's the newest kernel).

[root@proton ~]# wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.0.7.tar.xz
[root@proton ~]# cp linux-5.0.7.tar.xz /usr/src/kernels
[root@proton ~]# cd /usr/src/kernels
[root@proton kernels]# tar -xvf linux-5.0.7.tar.xz
[root@proton kernels]# cd linux-5.0.7

And now the important part. CentOS 7 ships a gcc version that is too old, and many features will be unavailable with it. That's why gcc needs to be upgraded.

[root@proton 5.0.7]# yum install centos-release-scl -y
[root@proton 5.0.7]# yum install -y devtoolset-8 devtoolset-8-binutils-devel devtoolset-8-elfutils-libelf-devel devtoolset-8-gcc devtoolset-8-gcc-c++ devtoolset-8-gcc-gdb-plugin devtoolset-8-gcc-plugin-devel
[root@proton 5.0.7]# yum -y install bc flex bison openssl-devel ncurses-devel

The next important part: we are still using the old gcc (check with gcc -v), so we need to switch to the newer gcc 8 version.

[root@proton 5.0.7]# scl enable devtoolset-8 bash   # not persistent! If you exit, or start a new bash or screen, you have to repeat this command.

From now on, everything depends on you. Based on my screen, you need to switch values in .config using vim or a similar editor.
Important! Disable USERMODEHELPER in .config:

CONFIG_STATIC_USERMODEHELPER

[root@proton 5.0.7]# cp /boot/config-3.10.0-957.10.1.el7.x86_64 .config
[root@proton 5.0.7]# vim .config
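
The same edit can be scripted and checked instead of done by hand. The helper below is an added example, not part of the original post or of kconfig-hardened-check; the option list is an assumed, illustrative subset of the KSPP recommended settings, and the function names are made up here. The audit is worth repeating after the build regenerates .config, because kconfig silently drops options whose dependencies (for example gcc plugin support) are not met.

```bash
#!/bin/bash
# Added example (not from the original post): apply and audit hardening
# options in a kernel .config. "n" below means "# CONFIG_X is not set".
# The list is an illustrative subset of the KSPP recommended settings.
KSPP_WANTED="CONFIG_STATIC_USERMODEHELPER=n
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_GCC_PLUGIN_STACKLEAK=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y"

# kconfig_get FILE OPTION: print the option's value; "n" if unset or absent.
kconfig_get() {
    local line
    line=$(grep -E "^$2=" "$1" | tail -n 1)
    if [ -n "$line" ]; then printf '%s\n' "${line#*=}"; else echo n; fi
}

# kconfig_set FILE OPTION VALUE: drop every existing line for OPTION
# ("OPTION=..." or "# OPTION is not set") and append the wanted one.
kconfig_set() {
    local tmp
    tmp=$(mktemp) || return 1
    grep -vE "^(# )?$2(=| is not set)" "$1" > "$tmp" || true
    if [ "$3" = n ]; then
        printf '# %s is not set\n' "$2" >> "$tmp"
    else
        printf '%s=%s\n' "$2" "$3" >> "$tmp"
    fi
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# kconfig_harden FILE: apply the whole wanted list.
kconfig_harden() {
    local kv
    for kv in $KSPP_WANTED; do
        kconfig_set "$1" "${kv%%=*}" "${kv#*=}" || return 1
    done
}

# kconfig_audit FILE: print one line per mismatch; return 1 if any.
kconfig_audit() {
    local kv have bad=0
    for kv in $KSPP_WANTED; do
        have=$(kconfig_get "$1" "${kv%%=*}")
        if [ "$have" != "${kv#*=}" ]; then
            echo "MISMATCH ${kv%%=*}: want ${kv#*=}, have $have"
            bad=1
        fi
    done
    return "$bad"
}
```

Source the file, then run `kconfig_harden .config` before the build and `kconfig_audit .config` after it; a MISMATCH line after the build means the toolchain or a dependency did not allow that option.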

When you are done, let's compile our kernel.

[root@proton 5.0.7]# yum install rpm-build -y
[root@proton 5.0.7]# make -j8 rpm-pkg

It takes a while, so be patient :))

When the build completes, your custom kernel rpm files will be found under /root/rpmbuild/RPMS/x86_64…. (look for kernel*.rpm)

[root@proton ~]# cd /root/rpmbuild/RPMS/x86_64
[root@proton ~]# rpm -e kernel-headers --nodeps
[root@proton ~]# rpm -ivh kernel*.rpm
[root@proton ~]# grubby --set-default /boot/vmlinuz-5.0.7
[root@proton ~]# reboot
[root@proton ~]# uname -a
Linux proton.edu.pl 5.0.7 #1 SMP Sat Apr 13 17:51:23 CEST 2019 x86_64 x86_64 x86_64 GNU/Linux

From now on, you can enjoy a new kernel with many security improvements. Below you can find a link to a map showing which options match which types of attacks.

https://github.com/a13xp0p0v/linux-kernel-defence-map

Sources:
https://github.com/a13xp0p0v
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

One of the best presentations about KSPP. It covers all of it.
https://outflux.net/slides/2018/lca/kspp.pdf
